Investigatory Powers Tribunal also says "thematic warrants" to hack an entire city are fine.

The Investigatory Powers Tribunal (IPT), the body that hears complaints about the UK's intelligence services, has ruled that it is legal for GCHQ to hack into systems, both in the UK and abroad, and to install spyware on them.

However, following the legal action by Privacy International and a group of seven ISPs, GCHQ for the first time has admitted that it "undertakes both 'persistent' and 'non-persistent' CNE [Computer Network Exploitation—hacking] operations, namely both where an ‘implant’ expires at the end of a user’s internet session and where it 'resides' on a computer for an extended period."

The admission that it breaks into systems and installs spyware is a minor victory for transparency, and represents a shift from the UK government's traditional "neither confirm nor deny" position. GCHQ has also revealed that in 2013 about 20 percent of its intelligence reports contained information derived from hacking.

However, as Privacy International said: "This case exposed not only these secret practices but also the undemocratic manner in which the Government sought to backdate powers to do this under the radar. Just because the Government magically produces guidelines for hacking should not legitimise this practice."

Privacy International has also expressed concern about another key aspect of the IPT's ruling: "The IPT has decided that GCHQ can use 'thematic warrants', which means GCHQ can hack an entire class of property or persons, such as 'all phones in Birmingham'. In doing so, it has upended a longstanding English common law principle that such general warrants are unlawful."

Further Reading

As the digital rights group pointed out, UK parliament's Intelligence and Security Committee shares that concern: last week it called for "Bulk Equipment Interference warrants"—thematic warrants—to be removed completely from the proposed Snooper's Charter.

Privacy International added: "We will challenge this undermining of the fundamental right that a warrant should identify a specific property or person." Privacy International told Ars it will take its case to either the Court of Justice of the European Union, or the European Court of Human Rights, but is still discussing internally which path would be best.

In a final curious twist, the IPT judgment has been taken down from its original location. The IPT told Ars that this was because some changes needed to be made to the document, but no further details were available. We will update this post with details if any of these turn out to be significant. In the meantime, a cached version of the original judgment is still available.